1. Field of Invention
This invention relates generally to security in computer networks.
2. Prior Art
A typical identity management deployment for an organization will incorporate a directory service. In a typical directory service, one or more server computers host instances of directory server software. These directory servers implement the server side of a directory access protocol, such as the X.500 Directory Access Protocol (DAP), as defined in the document ITU-T Rec. X.519 “Information technology—Open Systems Interconnection—The Directory: Protocol specifications”, or the Lightweight Directory Access Protocol (LDAP), as defined in the document “Lightweight Directory Access Protocol (v3)” by M. Wahl et al., December 1997. The client side of the directory access protocol is implemented in other components of the identity management deployment, such as an identity manager or access manager.
A directory access protocol follows a request-response model of interaction, in which the client establishes a connection to a directory server and, over that connection, sends one or more requests. The directory server processes those requests and sends responses over that connection. The types of requests in a directory access protocol include:
the bind request, in which the client sends its authentication information to the server,
the search request, in which the client requests that one or more entries in the server's directory information tree be returned,
the modify request, in which the client requests that the set of attributes be changed in an entry in the server's directory information tree, and
the delete request, in which the client requests that an entry be removed from the server's directory information tree.
A directory server typically generates an access log in a text file or in a relational database. A typical directory server adds a log record to the access log for each of the following categories of events:
an incoming connection from a directory client,
a connection from a directory client is closed,
a request is received on a connection from a directory client, and
a response is sent on a connection to a directory client.
One prior art format for a directory server log is specified in chapter 8 (Access Logs and Connection Codes) of the document “Sun ONE Directory Server 5.2 Reference Manual” published by Sun Microsystems Inc. in 2003.
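As an added illustration of the four log-record categories above (this is example code written for this text, not code from the Sun ONE product or the cited manual), the following parser classifies constructed access-log lines written in the Sun ONE Directory Server 5.2 style, pairs each request with its RESULT record by connection and operation number, and reports bind requests that failed:

```python
import re

# Constructed access-log records in the style of the Sun ONE Directory Server 5.2
# format (hand-written for this example): connect, bind, search, a second bind, unbind, close.
SAMPLE_LOG = """\
[21/Apr/2003:11:39:51 -0700] conn=11 fd=608 slot=608 connection from 10.0.0.5 to 10.0.0.1
[21/Apr/2003:11:39:51 -0700] conn=11 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[21/Apr/2003:11:39:51 -0700] conn=11 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[21/Apr/2003:11:39:51 -0700] conn=11 op=1 SRCH base="o=example" scope=2 filter="(uid=jdoe)" attrs=ALL
[21/Apr/2003:11:39:51 -0700] conn=11 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[21/Apr/2003:11:39:52 -0700] conn=11 op=2 BIND dn="uid=jdoe,ou=people,o=example" method=128 version=3
[21/Apr/2003:11:39:52 -0700] conn=11 op=2 RESULT err=49 tag=97 nentries=0 etime=0
[21/Apr/2003:11:39:53 -0700] conn=11 op=3 UNBIND
[21/Apr/2003:11:39:53 -0700] conn=11 op=3 fd=608 closed - U1
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+)(?: op=(?P<op>\d+))? (?P<rest>.*)$")

def classify(line):
    """Map one record onto the four event categories: connect, close, request, response."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m["rest"]
    if "connection from" in rest:
        kind = "connect"
    elif " closed" in rest:
        kind = "close"
    else:  # requests are BIND, SRCH, MOD, DEL, UNBIND, ...; responses are RESULT
        kind = "response" if rest.startswith("RESULT") else "request"
    return {"conn": int(m["conn"]), "op": int(m["op"]) if m["op"] else None, "kind": kind, "rest": rest}

def pair_operations(log_text):
    """Join each request with its RESULT by (conn, op); err stays None if no RESULT was logged."""
    ops = {}
    for ev in filter(None, map(classify, log_text.splitlines())):
        key = (ev["conn"], ev["op"])
        if ev["kind"] == "request":
            ops[key] = {"conn": ev["conn"], "op": ev["op"], "request": ev["rest"], "err": None}
        elif ev["kind"] == "response" and key in ops:
            err = re.search(r"err=(\d+)", ev["rest"])
            ops[key]["err"] = int(err.group(1)) if err else None
    return list(ops.values())

def failed_binds(log_text):
    """Bind requests whose RESULT carried a non-zero LDAP result code (49 = invalidCredentials)."""
    return [o for o in pair_operations(log_text)
            if o["request"].startswith("BIND") and o["err"] not in (None, 0)]
```

Counting failed binds per connection or per bind DN over a real access log is a simple way to surface credential-guessing against the directory.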
A directory-enabled access control system comprises a set of middleware components which rely upon a directory server to maintain information about the users in an enterprise, in particular, each user's authentication credentials and access rights.
Typically, an implementation of a directory-enabled access control system in the prior art will, when a user attempts to authenticate by providing their name and credential, send a search request to a directory server to locate the entry for that user. If an entry is found for that user, then the implementation may either read an attribute containing a credential from the returned directory entry and compare that credential with the credential presented by the user, or send a bind request to the directory server to perform the comparison, in which case the bind request comprises the distinguished name of the entry and the credential supplied by the user.